Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim."— Presentation transcript:

1 Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim Health Care Fifth National HIPAA Summit October 31, 2002

2 Harvard Pilgrim Health Care  Medium size health plan serving MA, NH, and ME  750,000 members  20,000 Providers  As a Multiple Function Covered Entity, HPHC must comply with HIPAA as a(n): –Health Plan – HMO, PPO, Medicare+Choice –Employer –Self Insured Health Plan –Provider – Nashua Medical Group –TPA – we provide this function for some of our Self insured groups

3 eHealth Program  Leverage the web to meet demands for data and transaction simplicity –Better tools, better data, better decisions to create value –Internet may help with customer service - In response to plans offering Internet access, growing numbers of consumers access benefits info online

4 HPHConnect Employer Member Web-Based Application Server Broker & Providers

5 Access Control Review  Security Standard - Access Control –Context, Role Based or User Based Access –Emergency Access  Security Standard - Authorization control –Role Based Access; –User Based Access  Privacy Rule –Role-based access is required –Identify person needing access to what

6 Authentication Rule Review  Entity authentication –Auto logoff –Unique user identification  At least one of the following: –Biometric identification system –A password system –A personal identification number (PIN) –Telephone callback –A token system

7 What’s the Problem  Multiple security models and tools used for authentication and authorization  High cost of support  Different systems = different roles and different identification  Multiple logins using Intranet & Internet  Policy change = changing many systems

8 Solution  Implement an Internet Authentication and Authorization Project –Centralize management and administration of the external user access to we applications –Select commercial software and hardware –Migrate users of web applications for Subscribers, Employers, Brokers, and online billing.  Continue as HPHC Enterprise Security System –Extend to Providers & Member model –Require all new web applications to use –Add Federated Services for web affiliations –Legacy systems integration later on

9 Initial Adoption Plan Integrated with new HPHC Enterprise Security System Not yet integrated with new HPHC Enterprise Security System

10 Component Definitions  Netegrity –Site Minder - overall operational and development environment –Web Agent – Protects secured resources –Policy Server – Maps user roles, security policies, and data to determine privileges –Policy Store – data store for Policy information –Advance Password Services (APS) – complex password rules for specific policies –Identity Management Services (IMS) – User administration delegation - Planned for FY 2003

11 Component Definitions  Novell eDirectory – end user data store, LDAP structure  Why Netegrity & Novell –Industry Leaders in respective functions

12

13 Directory Structure HPHC Employees Subscribers Employers Brokers  Flat structure allows for different security policies and better performance  Different Ids - Business decision to bound user environments  Flat structure allows for different security policies and better performance  Different Ids - Business decision to bound user environments

14 Advanced Password Services  Different rule by constituent  Minimum 8 characters  Can not use username, first name, or last name combinations  Must use at least 1 numeric & 1 alpha  Can not use dictionary word  Can not use strings  Password lockout  Password change & aging

15 Subscriber vs. Member Model  Subscriber – owner of the health plan account –One account for subscriber that contains all family members –Self-service account creation –Supply the following to create an account Social Security Number Date of Birth HPHC Member Number –Re-enter if password is forgotten

16 Subscriber vs. Member Model  Members are individuals identified on a health plan account that have a relationship to a valid subscriber  Member model –Each adult member has own account with health information –Self-service member registration –Send letter with one-time password –Member creates ID & password

17 Federated Identity T he ability to correlate user names between different security infrastructures, is the core technology behind Internet single sign-on (I ‑ SSO), and it also applies to secure Web Services and to SSO solutions within an enterprise.” Giga 2002

18 Protocol and Security Standards  SSL (Secure Socket Layer) –Data encryption (SAML assertions are communicated over bilateral SSL)  SOAP (Simple Object Access Protocol) –Provides an envelope for the SAML messages exchanged between a portal and its affiliates  SAML (Security Assertion Markup Language) –Standard way to describe Web access-control with an open framework for sharing security information on the Internet through XML documents

19 Assertion Authentication Entitlements Internet Initial Authentication SSO www.hospital.com www.xrayservice.com www.pharmacy.com Doctor(s) Federated Identity Service for eHealthcare Primary site with Netegrity SiteMinder deployment Affilaite partner with Netegrity SAML Affiliate Agent deployed Affilaite partner with Netegrity SAML Affiliate Agent deployed Assertion Authentication Entitlements Goal Automate a time consuming and costly manual process (using phone, fax and mail) that Doctors use to review medical images and send in prescriptions Solution Link existing applications into a cross enterprise single sign-on environment while ensuring proper security Solution Link existing applications into a cross enterprise single sign-on environment while ensuring proper security

20 Federated Services Scenario Primary (Source Site)Affiliate (Destination Site) 1. User authenticates at Primary Site directly or through redirection from Affiliate. 2. Primary Site generates SAML authN assertion, stores it in session server, creates SAML artifact. 3. When user clicks on Affiliate link, Primary Site puts SAML artifact on URL query string, followed by target Affiliate resource, e.g., https://www.AffiliateSite.com?SAMLArtifact= &target= 4. Affiliate intercepts request and determines source site’s information from SAML artifact. 5. Affiliate requests full-fledged SAML assertion from Portal thru SOAP message. 6. Portal fetches SAML assertion and sends it to Affiliate thru SOAP message. 7. Affiliate extracts SAML assertion from SOAP message and creates Affiliate’s session. (1) (3) (2) (4) (7)(6) (5) User SOAP Message

21 Future  Web services and web sites managed by one security resources Enterprise Security System Web Site Web Services IVR Legacy

22 Interactive Voice Response (IVR)  An electronic system  Do you disclosure PHI?  If yes, must use authentication  Can be integrated with Netegrity as part of the Enterprise Security System

23 Budgeting For Security: copyright 2002 john klossner, www.jklossner.com

24 Questions?

Download ppt "Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim."

Similar presentations

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
 Physical Logical Access  Physical and Logical Access  Total SSO and Password Automation  Disk/Data Encryption  Centralized management system  Biometric.

 Physical Logical Access  Physical and Logical Access  Total SSO and Password Automation  Disk/Data Encryption  Centralized management system  Biometric.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Access Control Methodologies

Access Control Methodologies
Implementing and Administering AD FS

Implementing and Administering AD FS
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Authentication & Kerberos

Authentication & Kerberos
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Case Study: Password Authentication in eHealth Applications

Case Study: Password Authentication in eHealth Applications
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,
Identity and Access Management

Identity and Access Management
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
Integrating CRM On Demand with the E-Business Suite to Supercharge your Sales Team Presented by: Tom Connolly, Jason Lieberman Company: BizTech Session.

Integrating CRM On Demand with the E-Business Suite to Supercharge your Sales Team Presented by: Tom Connolly, Jason Lieberman Company: BizTech Session.

Similar presentations

Ads by Google